Comments on Quaji: Facebook CSRF attack - Full Disclosure

Sometimes I think ignorance is bliss. What an eye-...

2011-10-26T17:09:48.745+02:00

Sometimes I think ignorance is bliss. What an eye-opener. Thanks.

That is ingenious ... to follow up on Anonymous...

2011-10-19T09:09:43.196+02:00

That is ingenious ... to follow up on Anonymous' question - has this hole been fixed by now? Seems even browsing with facebook still logged in poses a security risk

Great Post! What exactly did Facebook do in order...

2011-07-18T11:51:53.036+03:00

Great Post!

What exactly did Facebook do in order to resolve this issue?

Thanks!
Itay.

Very interesting presentation of the malicious att...

2010-12-13T22:05:18.770+02:00

Very interesting presentation of the malicious attack techniques. Makes me want to play safe and avoid social media networking sites such as Facebook, Twitter and Delicious. Are the attacks actually stoppable if those sites worked hard enough at repelling attack attempts?

I've lately been reading a lot about different...

2010-06-24T11:37:50.364+03:00

I've lately been reading a lot about different vulnerabilities and I keep getting astonished how simple, yet elegant the attacks finally are. This article is no exception to that. Thanks!

What was the greatest hidden

2010-01-30T14:34:25.750+02:00

What was the greatest hidden

Good work. Facebook acts as a proxy - and what if ...

2010-01-13T18:40:45.194+02:00

Good work. Facebook acts as a proxy - and what if you place your own proxy in front of Facebook?

Watch

http://www.hacking-lab.com/movies/rp2/

I can see how you redirected from firstimage.jpg t...

2009-11-26T23:36:08.776+02:00

I can see how you redirected from firstimage.jpg to malicious1.php but not how you managed to redirect back to a valid image.

It seems to me that as soon as I redirect the image to a php and some html is executed, the image breaks. I tried to meta refresh from the php to a valid image, but to no avail.

Could you elaborate on this?

/Jonas

PS. I'm not talking about this vulnerability but the image->csrf->image tactic in general.

This will be a pretty useful for all facebook user...

2009-10-05T15:07:20.342+02:00

This will be a pretty useful for all facebook users. I hope people can get maximum from this. Thanks for the detailed post.

A few clarification: 1. There is no need to pre-ap...

2009-09-03T15:47:29.346+03:00

A few clarification:
1. There is no need to pre-approve the app. That was in a sense the whole point of the attack. The vulnerable mechanism, aptly called Automatic Authentication, sends the app some information *before* the user approves it.

2. Only publicly available information was disclosed. So if you set your details to private, you were safe. But as I wrote, the default option is public which means that the vast majority of users have it set just so.

Great article! Thanks :)

2009-08-28T12:04:41.691+03:00

Great article! Thanks :)

Interesting. This exactly the reason I have compl...

2009-08-27T07:03:28.824+03:00

Interesting. This exactly the reason I have completely fake information and photos on my facebook account! ;-) bb

Amazin. Great job :)

2009-08-25T21:24:28.123+03:00

Amazin. Great job :)

Ajuaa con solo colocar el nombre de la persona tam...

2009-08-25T17:22:27.768+03:00

Ajuaa con solo colocar el nombre de la persona tambien puedes acceder a esa informacion si la persona accede a sus datos aqui le dejo un ejemplo: BUSQUEN EN GOOGLE COOKUI MAUSTER y ahi les sale el come galleta del video lo unico diferente es que tienes que buscar a la gente si no que atraes a gente seleccionado

Thank you for sharing that information in a detail...

2009-08-25T12:51:35.121+03:00

Thank you for sharing that information in a detailed post!

I have a question. You wrote "these details include..." Could you be more precise about the information that is effectively stolen and provide an exhaustive list?

Don't know what to say other than "it is ...

2009-08-24T10:53:13.102+03:00

Don't know what to say other than "it is damn good writing".

BTW, this forces me use a dedicated browser for FB. Wonder if it still work under incognito/private window.

Maybe I'm missing something. The hacker can g...

2009-08-24T06:11:17.021+03:00

Maybe I'm missing something. The hacker can get your user name, profile picture, and friends list. So what? He does not have your password. And he is not a friend to your friends. So what can he do to you?

I'm impressed but now I am extremely suspiciou...

2009-08-23T23:53:29.483+03:00

I'm impressed but now I am extremely suspicious of all apps. Time to remove some personal info and photos. We need more info like this.

nice hack!

2009-08-21T23:34:07.185+03:00

nice hack!

Great work! I'm curious, what specifically ha...

2009-08-21T23:23:54.655+03:00

Great work! I'm curious, what specifically has Facebook changed in response to this attack?

I just confirmed that you DO have to have added th...

2009-08-21T22:24:56.827+03:00

I just confirmed that you DO have to have added the app for this to work. So you have at some point already agreed to give this info to the app.

That said the writeup is good, just wrong.

Well played sir.

2009-08-21T16:54:25.354+03:00

Well played sir.

Hey Ronen Z , cool information. By this kind of a...

2009-08-21T10:30:19.273+03:00

Hey Ronen Z ,

cool information. By this kind of attacks have been already been notified Its more like Phishing :-) , But still yes you have done a great Job in explaining it i appreciate it ;-)

Regards
Vijay

IT dosnt say it. Have you tried it? The video is ...

2009-08-21T00:26:45.534+03:00

IT dosnt say it. Have you tried it? The video is by the developer of the app. (who automaticaly is added to the app).

To 'anonymous': Where does it say you have...

2009-08-20T23:15:54.518+03:00

To 'anonymous': Where does it say you have to have added the app? The description and video would appear to indicate that you do *not* have to do this at all.

To inquirer: An HTTP server can respond to any request with a redirect, that's independent of what's being requested.